Back to Details

security-prompts

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security Prompt Templates Library

安全提示模板库

Purpose

用途

This skill provides ready-to-use security prompt templates following the Secure Vibe Coding methodology. Each template includes complete security controls, testing checklists, and customization guidance.
本技能提供遵循Secure Vibe Coding方法论的现成安全提示模板,每个模板都包含完整的安全控制措施、测试清单和自定义指南。

When to Use This Skill

何时使用本技能

Use security prompt templates when:
  • Building features: Forms, APIs, file uploads, admin panels
  • Implementing auth: RBAC, permissions, ownership checks
  • Security reviews: Threat modeling, code review, OWASP compliance
  • Testing: Security test generation, vulnerability assessment
在以下场景使用安全提示模板:
  • 功能开发:表单、API、文件上传、管理面板
  • 认证实现:RBAC、权限、所有权校验
  • 安全审查:威胁建模、代码审查、OWASP合规校验
  • 测试环节:安全测试用例生成、漏洞评估

Library Organization

库结构组织

📁 Prompt Engineering Templates (8 templates)

📁 提示词工程模板(共8个模板)

Location: 
.claude/skills/security/security-prompts/prompt-engineering/
Comprehensive prompts for implementing secure features:
  1. 01_secure_form.md - Public forms with full security stack
    • Triggers: "secure form", "contact form", "public form"
    • Controls: CSRF, rate limiting, XSS prevention, validation
  2. 02_authenticated_endpoint.md - Authenticated data modification
    • Triggers: "authenticated endpoint", "user update", "protected route"
    • Controls: Authentication, authorization, ownership checks
  3. 03_public_endpoint.md - Public APIs with pagination
    • Triggers: "public API", "public endpoint", "GET endpoint"
    • Controls: Rate limiting, validation, pagination
  4. 04_admin_action.md - Admin-only features with audit logging
    • Triggers: "admin endpoint", "admin feature", "admin action"
    • Controls: RBAC, audit logging, authorization
  5. 05_file_upload.md - Secure file handling
    • Triggers: "file upload", "image upload", "file handling"
    • Controls: Type validation, size limits, malware scanning
  6. 06_composable_middleware.md - Multiple security layers
    • Triggers: "middleware", "security layers", "composable security"
    • Controls: Proper middleware ordering, layer composition
  7. 07_new_control.md - Extending security architecture
    • Triggers: "new security control", "custom middleware", "security utility"
    • Controls: Creating new reusable security utilities
  8. 08_security_testing.md - Comprehensive security tests
    • Triggers: "security testing", "security tests", "test security"
    • Controls: Automated test generation for all controls
路径: 
.claude/skills/security/security-prompts/prompt-engineering/
用于实现安全功能的全面提示词:
  1. 01_secure_form.md - 具备完整安全防护栈的公开表单
    • 触发词: "secure form", "contact form", "public form"
    • 控制措施: CSRF、限流、XSS防护、数据校验
  2. 02_authenticated_endpoint.md - 需认证的数据修改接口
    • 触发词: "authenticated endpoint", "user update", "protected route"
    • 控制措施: 身份认证、授权、所有权校验
  3. 03_public_endpoint.md - 支持分页的公开API
    • 触发词: "public API", "public endpoint", "GET endpoint"
    • 控制措施: 限流、数据校验、分页
  4. 04_admin_action.md - 带审计日志的管理员专属功能
    • 触发词: "admin endpoint", "admin feature", "admin action"
    • 控制措施: RBAC、审计日志、授权
  5. 05_file_upload.md - 安全文件处理
    • 触发词: "file upload", "image upload", "file handling"
    • 控制措施: 类型校验、大小限制、恶意软件扫描
  6. 06_composable_middleware.md - 多层安全防护
    • 触发词: "middleware", "security layers", "composable security"
    • 控制措施: 合理的中间件排序、层级组合
  7. 07_new_control.md - 扩展安全架构
    • 触发词: "new security control", "custom middleware", "security utility"
    • 控制措施: 创建新的可复用安全工具
  8. 08_security_testing.md - 全面安全测试
    • 触发词: "security testing", "security tests", "test security"
    • 控制措施: 为所有控制项自动生成测试用例

📁 Threat Modeling Templates (8 templates)

📁 威胁建模模板(共8个模板)

Location: 
.claude/skills/security/security-prompts/threat-modeling/
Prompts for security analysis and review:
  1. 01_stride_analysis.md - Complete STRIDE threat model
    • Triggers: "STRIDE", "threat model", "security analysis"
  2. 02_feature_threats.md - Feature-specific threat analysis
    • Triggers: "feature threats", "analyze feature security"
  3. 03_architecture_impact.md - Architecture change security impact
    • Triggers: "architecture security", "security impact"
  4. 04_code_review.md - Security vulnerability review
    • Triggers: "security review", "code review", "vulnerability review"
  5. 05_security_tests.md - Automated security test generation
    • Triggers: "generate security tests", "security test suite"
  6. 06_owasp_check.md - OWASP Top 10 compliance
    • Triggers: "OWASP", "OWASP check", "OWASP compliance"
  7. 07_payment_security.md - Payment security (Clerk Billing + Stripe)
    • Triggers: "payment security", "Stripe security", "billing security"
  8. 08_update_model.md - Update threat model after features
    • Triggers: "update threat model", "refresh threat model"
路径: 
.claude/skills/security/security-prompts/threat-modeling/
用于安全分析和审查的提示词:
  1. 01_stride_analysis.md - 完整STRIDE威胁模型
    • 触发词: "STRIDE", "threat model", "security analysis"
  2. 02_feature_threats.md - 针对特定功能的威胁分析
    • 触发词: "feature threats", "analyze feature security"
  3. 03_architecture_impact.md - 架构变更的安全影响评估
    • 触发词: "architecture security", "security impact"
  4. 04_code_review.md - 安全漏洞审查
    • 触发词: "security review", "code review", "vulnerability review"
  5. 05_security_tests.md - 自动生成安全测试用例
    • 触发词: "generate security tests", "security test suite"
  6. 06_owasp_check.md - OWASP Top 10合规校验
    • 触发词: "OWASP", "OWASP check", "OWASP compliance"
  7. 07_payment_security.md - 支付安全(Clerk Billing + Stripe)
    • 触发词: "payment security", "Stripe security", "billing security"
  8. 08_update_model.md - 功能迭代后更新威胁模型
    • 触发词: "update threat model", "refresh threat model"

📁 Auth & Authorization Templates (4 templates)

📁 身份认证与授权模板(共4个模板)

Location: 
.claude/skills/security/security-prompts/auth-authorization/
Prompts for authentication and access control:
  1. 01_rbac_implementation.md - Role-based access control
    • Triggers: "RBAC", "role-based access", "user roles"
  2. 02_permissions.md - Granular permission system
    • Triggers: "permissions", "permission system", "granular access"
  3. 03_ownership.md - Resource ownership verification
    • Triggers: "ownership", "ownership check", "resource ownership"
  4. 04_auth_testing.md - Authorization testing
    • Triggers: "auth testing", "authorization tests", "test permissions"
路径: 
.claude/skills/security/security-prompts/auth-authorization/
用于身份认证和访问控制的提示词:
  1. 01_rbac_implementation.md - 基于角色的访问控制
    • 触发词: "RBAC", "role-based access", "user roles"
  2. 02_permissions.md - 细粒度权限系统
    • 触发词: "permissions", "permission system", "granular access"
  3. 03_ownership.md - 资源所有权校验
    • 触发词: "ownership", "ownership check", "resource ownership"
  4. 04_auth_testing.md - 授权测试
    • 触发词: "auth testing", "authorization tests", "test permissions"

📁 Built-In Controls Templates (3 templates)

📁 内置控制模板(共3个模板)

Location: 
.claude/skills/security/security-prompts/built-in-controls/
Simple prompts using existing Secure Vibe Coding OS utilities:
  1. 01_contact_form.md - Quick contact form with security
    • Triggers: "contact form", "simple form"
  2. 02_authenticated_update.md - User data modification
    • Triggers: "update profile", "user update"
  3. 03_public_api.md - Public GET endpoints
    • Triggers: "public API", "read-only API"
路径: 
.claude/skills/security/security-prompts/built-in-controls/
基于现有Secure Vibe Coding OS工具的简易提示词:
  1. 01_contact_form.md - 带安全防护的快速联系表单
    • 触发词: "contact form", "simple form"
  2. 02_authenticated_update.md - 用户数据修改
    • 触发词: "update profile", "user update"
  3. 03_public_api.md - 公开GET端点
    • 触发词: "public API", "read-only API"

How to Use Security Prompts

如何使用安全提示词

Quick Usage Pattern

快速使用流程

  1. Identify your need (e.g., "I need a secure contact form")
  2. Find the template (use triggers or browse categories)
  3. Read the template to understand security controls
  4. Copy and customize the prompt for your specific needs
  5. Run the prompt with Claude Code
  6. Verify using the testing checklist
  1. 明确需求(例如:"我需要一个安全的联系表单")
  2. 查找对应模板(使用触发词或浏览分类)
  3. 阅读模板了解包含的安全控制措施
  4. 复制并自定义提示词适配你的具体需求
  5. 在Claude Code中运行提示词
  6. 使用测试清单验证实现效果

Template Access Pattern

模板调用规范

When a user asks for a security implementation:
markdown
**Recommend the appropriate template:**

"I'll use the [TEMPLATE_NAME] security prompt template for this.

**Template**: `.claude/skills/security/security-prompts/[category]/[file].md`

**Security Controls Applied**:
- [List controls from template]

**Customizations needed**:
- [List what to customize]

Let me load the template and customize it for your needs..."

Then read and apply the template.
当用户请求安全相关实现时:
markdown
**推荐适用的模板:**

"我将使用[TEMPLATE_NAME]安全提示模板完成该需求。

**模板路径**: `.claude/skills/security/security-prompts/[category]/[file].md`

**应用的安全控制措施**:
- [列出模板中的控制项]

**需要自定义的内容**:
- [列出需要调整的内容]

我将加载模板并为您定制适配需求..."

然后读取并应用模板。

Combining Prompts

提示词组合使用

Many features need multiple prompts:
Example: Admin Dashboard
  1. First: 
    auth-authorization/01_rbac_implementation.md
    (if RBAC not set up)
  2. Then: 
    prompt-engineering/04_admin_action.md
    (for each admin feature)
  3. Test: 
    prompt-engineering/08_security_testing.md
  4. Review: 
    threat-modeling/04_code_review.md
  5. Update: 
    threat-modeling/08_update_model.md
Example: User Profile Edit
  1. Implement: 
    prompt-engineering/02_authenticated_endpoint.md
  2. Add ownership: 
    auth-authorization/03_ownership.md
  3. Test: 
    auth-authorization/04_auth_testing.md
很多功能需要结合多个提示词:
示例:管理后台
  1. 第一步:
    auth-authorization/01_rbac_implementation.md
    (如果还未实现RBAC)
  2. 第二步:
    prompt-engineering/04_admin_action.md
    (每个管理员功能单独使用)
  3. 测试:
    prompt-engineering/08_security_testing.md
  4. 审查:
    threat-modeling/04_code_review.md
  5. 更新:
    threat-modeling/08_update_model.md
示例:用户资料编辑
  1. 实现:
    prompt-engineering/02_authenticated_endpoint.md
  2. 添加所有权校验:
    auth-authorization/03_ownership.md
  3. 测试:
    auth-authorization/04_auth_testing.md

Prompt Template Format

提示词模板格式

Each template follows this structure:
markdown
undefined
每个模板都遵循以下结构:
markdown
undefined

[Template Name]

[模板名称]

Category: [Category] When to Use: [Scenario] Module: [Course module] Time to Implement: [Estimate]
分类: [所属分类] 适用场景: [使用场景] 对应模块: [课程模块] 预计实现时间: [预估时长]

Security Controls Applied

应用的安全控制措施

[Checklist of security features]
[安全功能清单]

The Prompt

提示词内容

[Copy-paste ready prompt with placeholders]
[可直接复制使用的带占位符提示词]

Customization Tips

自定义建议

[How to adapt for specific needs]
[如何适配特定需求]

Testing Checklist

测试清单

[Verification steps]
[验证步骤]

Related Prompts

相关提示词

[Links to complementary templates]
[互补模板链接]

Version History

版本历史

[Change tracking]
undefined
[变更记录]
undefined

Integration with Security Architecture

与安全架构集成

All prompts reference the Secure Vibe Coding OS:
  • Architecture: 
    @docs/security/SECURITY_ARCHITECTURE.md
  • Utilities: 
    /lib
    directory (withCsrf, withRateLimit, validateRequest, etc.)
  • Baseline: 90/100 OWASP score
  • Stack: Next.js, Clerk, Convex, Stripe
Always include architecture reference in prompts:
Reference: @docs/security/SECURITY_ARCHITECTURE.md
所有提示词都参考Secure Vibe Coding OS:
  • 架构文档: 
    @docs/security/SECURITY_ARCHITECTURE.md
  • 工具库: 
    /lib
    目录(withCsrf、withRateLimit、validateRequest等)
  • 基线标准: OWASP评分达到90/100
  • 技术栈: Next.js、Clerk、Convex、Stripe
提示词中必须包含架构引用:
Reference: @docs/security/SECURITY_ARCHITECTURE.md

Agent Usage Pattern

Agent使用规范

When security-focused agents (like security-scanner, threat-modeler) need prompt templates:
typescript
// Agent can reference specific templates
"Use the STRIDE analysis template from .claude/skills/security/security-prompts/threat-modeling/01_stride_analysis.md to create a threat model"

// Or request template by trigger
"Apply the secure form security prompt template to implement this contact form"
当专注安全的Agent(如安全扫描器、威胁建模器)需要提示模板时:
typescript
// Agent可以引用特定模板
"Use the STRIDE analysis template from .claude/skills/security/security-prompts/threat-modeling/01_stride_analysis.md to create a threat model"

// 也可以通过触发词调用模板
"Apply the secure form security prompt template to implement this contact form"

Skill Chaining

技能联动

This skill works with other security skills:
  • security-awareness/* - Understanding vulnerabilities
  • csrf-protection - CSRF implementation details
  • rate-limiting - Rate limiting patterns
  • input-validation - Validation strategies
  • auth-security - Clerk authentication
  • security-testing - Testing approaches
本技能可与其他安全类技能配合使用:
  • security-awareness/* - 理解漏洞相关知识
  • csrf-protection - CSRF实现细节
  • rate-limiting - 限流实现模式
  • input-validation - 数据校验策略
  • auth-security - Clerk身份认证
  • security-testing - 测试方法

Quick Reference by Scenario

按场景快速索引

"I need to add..."

"我需要添加..."

"...a contact form"
built-in-controls/01_contact_form.md
"...user profile editing"
prompt-engineering/02_authenticated_endpoint.md
→ Then: 
auth-authorization/03_ownership.md
"...admin features"
auth-authorization/01_rbac_implementation.md
(if needed) → Then: 
prompt-engineering/04_admin_action.md
"...file uploads"
prompt-engineering/05_file_upload.md
"...a public API"
built-in-controls/03_public_api.md
"...一个联系表单"
built-in-controls/01_contact_form.md
"...用户资料编辑功能"
prompt-engineering/02_authenticated_endpoint.md
→ 然后使用:
auth-authorization/03_ownership.md
"...管理员功能"
auth-authorization/01_rbac_implementation.md
(如果需要) → 然后使用:
prompt-engineering/04_admin_action.md
"...文件上传功能"
prompt-engineering/05_file_upload.md
"...一个公开API"
built-in-controls/03_public_api.md

"I need to review..."

"我需要审查..."

"...security before deploy"
prompt-engineering/08_security_testing.md
threat-modeling/04_code_review.md
"...OWASP compliance"
threat-modeling/06_owasp_check.md
"...payment security"
threat-modeling/07_payment_security.md
"...上线前的安全性"
prompt-engineering/08_security_testing.md
threat-modeling/04_code_review.md
"...OWASP合规性"
threat-modeling/06_owasp_check.md
"...支付安全性"
threat-modeling/07_payment_security.md

"I need to create..."

"我需要创建..."

"...a threat model"
threat-modeling/01_stride_analysis.md
"...role-based access"
auth-authorization/01_rbac_implementation.md
"...security tests"
prompt-engineering/08_security_testing.md
"...一个威胁模型"
threat-modeling/01_stride_analysis.md
"...基于角色的访问控制"
auth-authorization/01_rbac_implementation.md
"...安全测试用例"
prompt-engineering/08_security_testing.md

Best Practices

最佳实践

Always Customize

始终自定义模板

  • Replace placeholders with your specific values
  • Adjust rate limits for your use case
  • Modify validation rules for your data
  • 将占位符替换为你的具体数值
  • 根据你的使用场景调整限流规则
  • 根据你的数据修改校验规则

Always Test

始终进行测试

  • Use the testing checklist in each template
  • Run security tests before deploying
  • Verify all controls work as expected
  • 使用每个模板中的测试清单
  • 上线前运行安全测试
  • 验证所有控制措施按预期运行

Always Update Threat Model

始终更新威胁模型

  • After every feature: 
    threat-modeling/08_update_model.md
  • Maintain 
    docs/security/THREAT_MODEL.md
  • Version your threat model (v1.0, v1.1, etc.)
  • 每次功能迭代后:使用
    threat-modeling/08_update_model.md
  • 维护
    docs/security/THREAT_MODEL.md
    文件
  • 为威胁模型添加版本号(v1.0、v1.1等)

Chain Appropriately

合理组合使用

  • Authentication → Authorization → Ownership
  • Implementation → Testing → Review
  • Feature → Threat Analysis → Model Update
  • 身份认证 → 授权 → 所有权校验
  • 实现 → 测试 → 审查
  • 功能开发 → 威胁分析 → 模型更新

Supporting Files

配套文件

Each category has its own SKILL.md with:
  • Detailed trigger keywords
  • Category-specific guidance
  • Template descriptions
  • Usage patterns
Access supporting templates directly:
Read: .claude/skills/security/security-prompts/[category]/[template].md
每个分类都有独立的SKILL.md文件,包含:
  • 详细的触发关键词
  • 分类专属使用指南
  • 模板说明
  • 使用模式
直接访问配套模板
Read: .claude/skills/security/security-prompts/[category]/[template].md

Example Agent Integration

Agent集成示例

markdown
undefined
markdown
undefined

Security Implementation Agent

安全实现Agent

When implementing security features:
  1. Identify feature type (form, API, auth, etc.)
  2. Load appropriate security-prompts skill template
  3. Customize template with user's specific requirements
  4. Generate secure implementation following template
  5. Apply testing checklist from template
  6. Recommend related prompts for complete security
Use security-prompts skill as the authoritative source for implementation patterns.
undefined
实现安全功能时:
  1. 识别功能类型(表单、API、认证等)
  2. 加载对应的安全提示词技能模板
  3. 根据用户的具体需求自定义模板
  4. 遵循模板生成安全的实现代码
  5. 应用模板中的测试清单
  6. 推荐相关提示词完善安全防护
将安全提示词技能作为实现模式的权威来源。
undefined

Version History

版本历史

v1.0 (2025-10-23): Initial skill creation from security-prompts library
  • Converted 23 prompts to skill templates
  • Organized into 4 categories
  • Added trigger keywords for automatic activation
  • Integrated with Secure Vibe Coding OS architecture
v1.0(2025-10-23):基于安全提示词库首次发布技能
  • 将23个提示词转换为技能模板
  • 分为4个分类
  • 添加触发关键词支持自动激活
  • 与Secure Vibe Coding OS架构集成

Related Skills

相关技能

  • course-lesson-builder
    - Creating course content using these prompts
  • security/*
    - All implementation-focused security skills
  • security-awareness/*
    - Understanding vulnerability patterns
  • course-lesson-builder
    - 使用这些提示词创建课程内容
  • security/*
    - 所有聚焦实现的安全类技能
  • security-awareness/*
    - 理解漏洞模式相关内容

Notes for Maintenance

维护说明

When adding new security prompts:
  1. Add template file to appropriate category subdirectory
  2. Update category SKILL.md with new template info
  3. Update this main SKILL.md quick reference
  4. Add relevant trigger keywords
  5. Link related prompts
  6. Version the template
Usage: When users mention security implementations, threat modeling, or specific triggers, activate this skill to provide appropriate template guidance and direct them to the right security prompt for their needs.
添加新的安全提示词时:
  1. 将模板文件添加到对应分类的子目录中
  2. 更新分类的SKILL.md文件,添加新模板信息
  3. 更新本主SKILL.md的快速索引
  4. 添加相关触发关键词
  5. 关联相关提示词
  6. 为模板添加版本号
使用说明:当用户提及安全实现、威胁建模或特定触发词时,激活本技能提供合适的模板指引,引导用户使用符合其需求的安全提示词。